Enterprise Mobility and Security Blog

Howdy folks,

Time for another Azure AD Mailbag – this time Chad from our Customer and Partner Success teams is sharing some new/advanced tips on using Azure AD Connect sync.

Hope you have a great weekend!

Alex Simons (Twitter: @Alex_A_Simons)

Director of Program Management

Microsoft Identity Division

——————–

All right, it’s time for some more mandatory fun! Chad here back again with a new FAQ Mailbag. In this blog, we are talking Azure AD Connect (a bit of a change from the previous blogs I usually cover around MFA). The Customer Success Team receives many questions (some are already documented), so I’ve included links to the documentation as it relates to each question to help get you pointed at the right place.


Question 1:

I accidentally synced about 1k service accounts into Azure AD and I need to remove them. I used OU filtering to scope them out but I’m receiving an error on my export. What’s going on?


Answer 1:

Azure AD Connect has a feature that prevents you from accidentally deleting your objects in Azure AD. It is enabled by default and configured to not allow an export with more than 500 deletes (the limit is configurable using Enable-ADSyncExportDeletionThreshold). Hitting it commonly happens when admins change their filtering so that an entire OU or domain is unselected. It can also happen if you add or update a sync rule in the Synchronization Rule Editor that scopes out objects, such as a rule that sets cloudFiltered = true.

You will receive information in your Event logs stating why your export failed, and the failure also appears in the Synchronization Service Manager UI under the Export profile.

If you really do intend to delete everything, you can temporarily disable the protection with the Disable-ADSyncExportDeletionThreshold cmdlet. We recommend you re-enable it afterwards through PowerShell with Enable-ADSyncExportDeletionThreshold.

Andreas does a fantastic job covering it all in his blog: https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnectsync-feature-prevent-accidental-deletes/.
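As an added example that is not part of the original post, here is the threshold workflow for the scenario in Question 1 as PowerShell run on the Azure AD Connect server. It assumes the ADSync module that ships with Azure AD Connect (build 1.1 or later for Start-ADSyncSyncCycle) and uses a constructed expected-delete count; rather than disabling the guard, it raises the limit only as far as the clean-up needs and then restores the default.

```powershell
# Added example (not from the original post): handle a known-large removal
# by raising the export deletion threshold to the expected count instead of
# disabling it, then put the default back once the export has run.
# Assumes: ADSync module present, shell runs on the Connect server as a
# member of ADSyncAdmins, Azure AD Connect build 1.1 or later.
Import-Module ADSync

# Constructed values for the Question 1 scenario: about 1k service accounts
# scoped out by OU filtering, plus a small margin for objects you missed.
$expectedDeletes = 1000
$margin          = 50

# Show the current setting (default: protection on, 500 deletes per export).
Get-ADSyncExportDeletionThreshold | Format-List

# Raise the limit only as far as this clean-up needs. Older builds prompt
# for Azure AD credentials here; that prompt comes from the cmdlet itself.
Enable-ADSyncExportDeletionThreshold -DeletionThreshold ($expectedDeletes + $margin)

# A delta cycle is enough after a filtering change; it ends with the export
# step that the threshold guards.
Start-ADSyncSyncCycle -PolicyType Delta

# Wait for the scheduler to finish before touching the threshold again.
while ((Get-ADSyncScheduler).SyncCycleInProgress) {
    Start-Sleep -Seconds 30
}

# Restore the default protection of 500 deletes per export.
Enable-ADSyncExportDeletionThreshold -DeletionThreshold 500
Get-ADSyncExportDeletionThreshold | Format-List
```

If the export still reports more deletes than expected, the filtering change removed objects you did not intend; review the pending export in Synchronization Service Manager before raising the limit further.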


Question 2:

I just finished upgrading from an older Azure AD Connect to the latest version of Azure AD Connect. It kicked off a delta sync at the end (because I checked the option to run a sync afterwards). It usually does a full synchronization afterwards – is this normal?


Answer 2:

Earlier versions would always trigger a Full Import. With the recent builds it depends on whether any standard sync rules were changed. If any standard sync rules were changed in a build, then upgrading to that build triggers a Full Import/Full Sync cycle; otherwise a delta is enough. This minimizes the impact on the customer (especially if you have 100k employees).


Question 3:

Our company is onboarding to O365 for the first time and we have about 60k employees. During our initial synchronization, we received multiple errors on the Azure AD export. What are all of these errors?


Answer 3:

This is a complex answer that I will attempt to simplify. Export errors are very important to understand. Azure AD requires uniqueness for certain attributes, such as UPN and ProxyAddresses. In the past, Sync attempted to update the exported object and, if an attribute conflicted, the update failed and generated an error report for each attempt; additionally, the error was logged by the sync client.

Today, instead of the previous behavior, Azure Active Directory “quarantines” the duplicated value that does not meet uniqueness. If it is a required attribute such as the UPN, Azure AD substitutes a placeholder value (e.g. +<4digitnumber>@.onmicrosoft.com format). If the attribute is not required (as is the case for ProxyAddresses), the attribute value is placed in quarantine while the object is still created or updated. For a list of PowerShell cmdlets to pull these Sync errors, visit here.

If you drill down into the export errors, you can view the detailed explanation of the conflict. This can also be viewed in the Event Viewer.

You can also view directory synchronization errors in the Office 365 admin center (this is limited to User objects; it is not applicable to Groups, Contacts or Public Folders).

Ready to start solving some of your errors? Start here: Duplicate or invalid attributes prevent directory synchronization in Office 365

Please visit the reference document above – it goes into detail that was not covered here.
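An added example, not from the original post or from IDFix: a PowerShell scan of on-premises AD for the duplicate UPN and proxyAddresses values that Answer 3 says Azure AD will quarantine, so they can be fixed before the export ever runs. It assumes the ActiveDirectory RSAT module and a constructed search-base OU.

```powershell
# Added example (not from the original post): find the two uniqueness
# conflicts Answer 3 describes before they reach the Azure AD export.
# Assumes the ActiveDirectory module; $searchBase is a constructed OU.
Import-Module ActiveDirectory

$searchBase = 'OU=Synced,DC=contoso,DC=com'   # constructed example path

# Users, groups and contacts all carry proxyAddresses, so query objects,
# not just users, the same way the sync engine sees them.
$objects = Get-ADObject -SearchBase $searchBase `
    -LDAPFilter '(|(userPrincipalName=*)(proxyAddresses=*))' `
    -Properties userPrincipalName, proxyAddresses, objectClass

# Flatten to (attribute, value, owner) rows. Values are lower-cased because
# neither UPNs nor SMTP addresses are case-sensitive in Azure AD.
$entries = foreach ($o in $objects) {
    if ($o.userPrincipalName) {
        [pscustomobject]@{
            Attribute = 'userPrincipalName'
            Value     = $o.userPrincipalName.ToLowerInvariant()
            Owner     = $o.DistinguishedName
        }
    }
    foreach ($addr in $o.proxyAddresses) {
        [pscustomobject]@{
            Attribute = 'proxyAddresses'
            Value     = $addr.ToLowerInvariant()   # normalises SMTP:/smtp:
            Owner     = $o.DistinguishedName
        }
    }
}

# Any value owned by more than one object is exactly what Azure AD will
# quarantine (or, for UPN, replace with a placeholder) on export.
$conflicts = $entries | Group-Object -Property Attribute, Value |
    Where-Object Count -gt 1

foreach ($c in $conflicts) {
    '{0} conflict: {1}' -f $c.Group[0].Attribute, $c.Group[0].Value
    $c.Group | ForEach-Object { '    ' + $_.Owner }
}
'{0} conflicting values found' -f @($conflicts).Count
```

Run it against the same OUs you have selected in Azure AD Connect filtering; objects outside the sync scope cannot cause an export conflict and only add noise.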


Question 4:

I’m setting up Azure AD Connect for the first time. I’m trying to understand when I should use the full version of SQL versus SQL Express. I only have 30K employees but we may grow – is there any guidance around this?


Answer 4:

Choosing which SQL to use (Express or Full SQL) mostly depends on the number of objects your company plans on syncing to Azure Active Directory. If you plan on syncing near 100k objects, you should choose Full SQL. Remember, do not equate 100k with the number of employees: other objects like devices and groups also count toward that number.


Think not only of how many objects you have today but also of what you plan on doing tomorrow. Ask yourself questions like “Am I acquiring more companies this year? Do I have any new projects coming up that would require me to sync more data to Azure Active Directory? Do I plan on growing my employee/contractor base?” Thinking ahead will help you make this decision. For most small and medium-size customers, SQL Express works just fine.


Use the table below to help understand how SQL compares to number of objects, hard drive size, and performance. Also, visit the article below that goes into more detail on this subject:

https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect-prerequisites/


Question 5:

Can we use group managed service accounts (gMSA) to run the sync process for Azure AD Connect?

Answer 5:

No, we currently do not support gMSAs.


Question 6:

How do I know if I’m on the latest version of Azure AD Connect? Is there a version page somewhere?

Answer 6:

Yes! Please see the Version History page at https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect-version-history/


Question 7:

Does Azure AD Connect support characters from other languages in UPNs?

Answer 7:

UPNs must follow RFC 2822. IDFix will warn you if you are not compliant.


Thanks for following our Mailbag! As a little bonus for those who read all the way to the end, the Customer Success Team also leads webinars, available free to our customers, that focus on many aspects of Azure AD. Join the conversation! I look forward to meeting y’all in our live presentation.


We hope you’ve found this post and this series to be helpful. For any questions you can reach us at AskAzureADBlog@microsoft.com, the Microsoft Forums and on Twitter @AzureAD, @MarkMorow and @Alex_A_Simons.

–Chad Hasbrook and Mark Morowczynski